
My Azure Free subscription has expired. I've since been added to my company's Azure subscription but I can no longer use SSO with OAuth2 using AD.

VS2017 reports 0 subscriptions and when I go to Manage my subscription is listed, but I cannot enable it "This subscription is not supported by server explorer."

I'm assuming that I need to update something on our company's Azure subscription at this point, but I don't know what to request from management as far as subscription updates.

This worked flawlessly before my free subscription ran out.

I've tried the following SO questions:

Use Kentor.OwinCookieSaver: IDX21323 OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocolValidatedIdToken.Paylocad.Nonce was not null

IDX21323 OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocolValidatedIdToken.Paylocad.Nonce was not null

I've tried the following Microsoft Doc: https://learn.microsoft.com/en-us/azure/active-directory/develop/vs-active-directory-add-connected-service

I created a new MVC5 project and added the azure AD connected service with the same result.

I also cleared my cookies, and performed a "Clean" in VS2017.

    using System.Configuration;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;

    public partial class Startup
    {
        // Values come from web.config appSettings (keys as in the VS Azure AD template; adjust to your config).
        private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
        private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
        private static string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
        private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
        private static string authority = aadInstance + tenant;

        public void ConfigureAuth(IAppBuilder app)
        {
            // Cookie middleware issues the application session once OIDC sign-in succeeds.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            // OIDC middleware: writes a nonce cookie on challenge and checks it on the callback.
            app.UseOpenIdConnectAuthentication(
                new OpenIdConnectAuthenticationOptions
                {
                    ClientId = clientId,
                    Authority = authority,
                    PostLogoutRedirectUri = postLogoutRedirectUri
                });
        }
    }

Here is my exception: Server Error in '/' Application.

IDX21323: RequireNonce is '[PII is hidden]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.

* UPDATE *

I also tried this, and I think I identified part of the issue, but I still don't have a solution...

https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect/wiki/The-'nonce'-found-in-the-jwt-token-did-not-match-the-expected-nonce

From the source code in the above link: Method Call: MyOpenIDConnectAuthenticationHandler.RetrieveNonce(Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage message)

Line: string nonceCookie = Request.Cookies[nonceKey]; OwinRequest.Cookies is empty...

I also updated all of my Owin Packages from version 4.0 to 4.1 with no change.

Slacker

1 Answer

The error above happens when the request to the application does not contain the nonce cookie. You can use the instruction below to capture a Fiddler trace containing the error.

http://blogs.aaddevsup.xyz/2018/09/12/capture-https-traffic-with-http-fiddler/

Additionally try something like below:

    // Requires using System.Threading.Tasks; keep ClientId, Authority and PostLogoutRedirectUri as before.
    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions()
    {
        Notifications = new OpenIdConnectAuthenticationNotifications()
        {
            // Invoked when the middleware cannot process the response from the identity provider.
            AuthenticationFailed = authFailed =>
            {
                if (authFailed.Exception.Message.Contains("IDX21323"))
                {
                    // Suppress the nonce error and start a fresh sign-in, which issues a new nonce cookie.
                    authFailed.HandleResponse();
                    authFailed.OwinContext.Authentication.Challenge();
                }

                return Task.FromResult(0);
            }
        }
    });

Additional reference:

IDX21323 OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocolValidatedIdToken.Paylocad.Nonce was not null

Hope it helps.

Mohit Verma
  • I ended up using this implementation. It helps, but it doesn't work in all cases. I believe I identified the root cause of my issue: I was sleeping my laptop at the end of my work day. I took it home, connected it to my network, and brought it back into work the following day. Restarting my laptop after getting the nonce exception resolves the issue. This is obviously only for debugging code locally on my laptop, I have yet to put my application into production. – Slacker Oct 28 '19 at 18:18
  • Hi Slacker what was the solution for this? – Developer Sep 15 '21 at 10:46
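As an added illustration (not code from the question, the answer or the OWIN library): a Python model of the nonce check the middleware performs on the callback, showing why an empty cookie collection yields IDX21323 and why RequireNonce=false does not avoid it once the token carries a nonce. The cookie naming scheme and the unsigned demo token are constructed assumptions.

```python
"""Constructed model of the OIDC nonce round-trip, not the OWIN library code.
Cookie naming and the unsigned demo token are illustrative assumptions."""
import base64
import hashlib
import json
import secrets
from typing import Dict, Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def nonce_cookie_name(nonce: str) -> str:
    # One cookie per outstanding sign-in, keyed by a hash of the nonce value (assumed scheme).
    return "OpenIdConnect.nonce." + b64url(hashlib.sha256(nonce.encode()).digest())


def start_challenge(cookies: Dict[str, str]) -> str:
    """Redirect step: mint a nonce, keep it in a browser cookie, send it to the IdP."""
    nonce = secrets.token_urlsafe(32)
    cookies[nonce_cookie_name(nonce)] = nonce  # the real middleware protects this value
    return nonce  # travels in the authorize request and comes back inside the id_token


def fake_id_token(claims: dict) -> str:
    """Constructed unsigned id_token (header.payload.) for the demo only."""
    return b64url(b'{"alg":"none"}') + "." + b64url(json.dumps(claims).encode()) + "."


def token_nonce(id_token: str) -> Optional[str]:
    # Signature validation is assumed to have happened before the nonce check.
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload)).get("nonce")


def validate_nonce(id_token: str, cookies: Dict[str, str], require_nonce: bool = True) -> bool:
    """Callback step: look up the cookie named by the token's nonce, as RetrieveNonce does."""
    in_token = token_nonce(id_token)
    if in_token is None:
        if require_nonce:
            raise ValueError("IDX21320: RequireNonce is true but the token carries no nonce")
        return True  # nothing to evaluate and the caller opted out
    in_cookie = cookies.pop(nonce_cookie_name(in_token), None)  # one-time use: consumed here
    if in_cookie is None:
        # The question's case: empty cookie collection on the callback.
        # RequireNonce=false does not bypass this once the token carries a nonce.
        raise ValueError("IDX21323: ValidationContext.Nonce was null, token nonce was not null")
    return secrets.compare_digest(in_cookie.encode(), in_token.encode())
```

The nonce binds the id_token to the browser session that started the sign-in, so the fix is to get the cookie back to the callback (same host, cookie size, SameSite and clock settings), not to disable the check.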